H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Abstract

Translated from Chinese

Embodiments of the present invention disclose an encrypted communication method, apparatus and system, and relate to the field of communications. In order to reduce the processing load on devices within an M2M system while still guaranteeing data security, the embodiments of the present invention provide the following technical solution: assign the same encryption key to a terminal that is bound only to a first application and to the first application; and, upon determining that the terminal and the first application communicate using the same encryption key, transparently pass through the information exchanged between the terminal and the first application. The present invention is applicable to encrypted transmission.

Description

Translated from Chinese

Encrypted communication method, apparatus and system

[0002] M2M (Machine-to-Machine Communications) is a networked class of applications and services centred on intelligent interaction between machines. FIG. 1 shows a typical M2M system architecture. In it, the various M2M terminal devices connect to an M2M service platform either directly or through an M2M gateway, while the various M2M applications (for example, power meter reading or intelligent transportation) obtain the data collected by the M2M terminals, or control the M2M terminals, through the M2M service platform.

[0003] Because the data exchanged between M2M applications and M2M terminals often has high commercial value or sensitivity, the M2M system needs to support encrypted data transmission so that useful data is not leaked to any malicious third party. In addition, to satisfy the regulatory requirements of national security agencies and the relevant supervisory bodies, the M2M service platform is required to know the corresponding communication encryption key so that, under authorisation from the relevant supervisory body, it can decrypt and obtain the content of the data sent between an M2M terminal and an M2M application. For this purpose the M2M service platform can act as a KDC (Key Distribution Center) that distributes communication encryption keys to the M2M terminals and M2M applications respectively, while keeping a copy of each encryption key for lawful interception.

[0004] In the course of implementing the present invention, the inventors found that the prior art has at least the following problem: in a real deployment, if the same communication encryption key is simply distributed to all M2M applications and M2M terminals, mutual isolation between different M2M applications cannot be guaranteed, the communication encryption key is easily learned, and the security of the communication data is hard to ensure.

[0005] However, if the M2M service platform assigns a different communication encryption key to every M2M application and M2M terminal, and takes responsibility for decrypting and re-encrypting the data content as it forwards it, then when the number of M2M terminals and M2M applications is large the processing load on the M2M service platform is heavy, and the platform must have correspondingly high processing performance.

[0006] Alternatively, if the M2M service platform assigns one shared communication encryption key to each M2M terminal and M2M application that communicate with each other, and forwards the data content transparently, then an M2M terminal that communicates with several M2M applications must encrypt what it sends and decrypt what it receives with a different communication encryption key for each application. M2M terminal devices are often sensors and microcontrollers with low processing capability and a limited power supply, which cannot support computation-heavy encryption logic or a complex message handling mechanism.

SUMMARY

[0007] Embodiments of the present invention provide an encrypted communication method, apparatus and system that can reduce the processing load on devices within an M2M system while guaranteeing data security.

[0008] To achieve the above object, the embodiments of the present invention adopt the following technical solutions:

[0010] assigning the same encryption key to a terminal that is bound only to a first application and to the first application;

[0011] upon determining that the terminal and the first application communicate using the same encryption key, transparently passing through the information exchanged between the terminal and the first application.

[0013] a key allocation unit, configured to assign the same encryption key to a terminal that is bound only to a first application and to the first application;

[0014] a key storage unit, configured to store the encryption key that the key allocation unit assigns to the terminal or to the first application;

[0015] an encrypted communication unit, configured to transparently pass through the information exchanged between the terminal and the first application when it determines, from the encryption keys stored in the key storage unit, that the terminal and the first application communicate using the same encryption key.

[0016] An encrypted communication system, characterised in that it comprises a terminal, a service platform and a first application;

[0017] the service platform is configured to assign the same encryption key to a terminal that is bound only to the first application and to the first application, and, upon determining that the terminal and the first application communicate using the same encryption key, to transparently pass through the information exchanged between the terminal and the first application;

[0018] the terminal is configured to obtain the encryption key assigned by the service platform and to encrypt or decrypt the information exchanged with the first application using the obtained encryption key;

[0019] the first application is configured to obtain the encryption key assigned by the service platform and to encrypt or decrypt the information exchanged with the terminal using the obtained encryption key.

[0020] In the encrypted communication method, apparatus and system provided by the embodiments of the present invention, the same encryption key is assigned to a terminal that is bound only to a first application and to the first application, and when the terminal and the first application communicate using that shared encryption key, the information exchanged between them, encrypted under the same key, is passed through transparently. The service platform therefore performs less decryption and re-encryption while forwarding information, which lightens its processing load. Moreover, the terminal needs only a single encryption key for encrypting the service messages it sends and decrypting those it receives, which lightens the load on terminals whose processing capability and power supply are both limited. As a result, the processing load on the devices within the M2M system is reduced and the service-handling performance of the M2M system is improved, while data security is preserved.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] To describe the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.

[0022] FIG. 1 is a schematic flowchart of an encrypted communication method according to an embodiment of the present invention;

[0023] FIG. 2 is a schematic flowchart of a key allocation method according to an embodiment of the present invention;

[0024] FIG. 3 is a schematic flowchart of another key allocation method according to an embodiment of the present invention;

[0025] FIG. 4 is a schematic flowchart of another key allocation method according to an embodiment of the present invention;

[0026] FIG. 5 is a schematic flowchart of another key allocation method according to an embodiment of the present invention;

[0027] FIG. 6 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0028] FIG. 7 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0029] FIG. 8 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0030] FIG. 9 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0031] FIG. 10 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0032] FIG. 11 is a schematic flowchart of another encrypted communication method according to an embodiment of the present invention;

[0033] FIG. 12 is a schematic structural diagram of an encrypted communication apparatus according to an embodiment of the present invention;

[0034] FIG. 13 is a schematic structural diagram of an encrypted communication system according to an embodiment of the present invention.

DETAILED DESCRIPTION

[0035] The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

[0036] In order to reduce the processing load on devices within an M2M system while guaranteeing data security, an embodiment of the present invention provides an encrypted communication method which, as shown in FIG. 1, comprises:

[0037] 101. The service platform assigns the same encryption key to a terminal that is bound only to a first application and to the first application.

[0038] In step 101 the service platform also assigns a separate encryption key to any terminal that is bound to several applications or is not bound to any application; or, on determining that no terminal bound only to the first application exists, it assigns a separate encryption key to the first application.

[0039] In the embodiments of the present invention, an application is a device that obtains the data collected by a terminal or controls the terminal. The binding relationship between a terminal and an application usually means a relatively stable subscription binding over a given period of time, for example the M2M service communication relationship between a specific M2M terminal and a specific M2M application that is configured in the M2M system operator's subscription database when the M2M service is subscribed to and activated. The subscription information of a terminal or application may also be modified at some later time, which changes the binding relationship.

[0040] In this step the encryption key may be allocated in at least the following four ways:

[0043] 10111. The service platform receives a registration request or a key acquisition request sent by a terminal.

[0044] 10112. According to the registration request or key acquisition request, the service platform obtains the binding relationship of the terminal and, from that binding relationship, determines whether the terminal is bound to only one application.

[0045] Specifically, the service platform may obtain the terminal's identifier from the registration request or key acquisition request, look up the terminal's subscription configuration information in the database by that identifier, and derive the terminal's binding relationship from the subscription configuration information. Alternatively, the service platform may obtain indication information from the registration request or key acquisition request, for example a list of identifiers of the applications with which the terminal has a binding relationship, and derive the terminal's binding relationship from that indication information.

[0046] Having obtained the terminal's binding relationship, the service platform determines from it whether the terminal has a binding relationship with exactly one application, that is, whether the terminal exchanges service communication only with a single application and communicates with no other application. If the terminal is found to be bound to only one application, that application is taken as the first application and the process proceeds to step 10113. Otherwise, if the terminal is found to have binding relationships with several applications, or with no application at all, the process skips to step 10116.

[0047] 10113. The service platform determines whether an encryption key has already been assigned to the first application.

[0048] For example, the service platform queries the database by the identifier of the first application to find out whether an encryption key has already been assigned to the first application. If so, the process proceeds to step 10114; otherwise it skips to step 10115.

[0049] 10114. The service platform obtains the encryption key already assigned to the first application, uses it as the encryption key assigned to the terminal, and skips to step 10117.

[0050] 10115. The service platform generates a new encryption key, stores it as the encryption key assigned to both the first application and the terminal, and skips to step 10117.

[0051] 10116. The service platform assigns a separate new encryption key to the terminal, that is, it generates a new encryption key, stores it as the encryption key assigned to the terminal, and skips to step 10117.

[0052] 10117. The service platform sends the terminal the encryption key assigned to it.

[0055] 10121. The service platform receives a registration request or a key acquisition request sent by the first application.

[0056] 10122. According to the registration request or key acquisition request, the service platform obtains the binding relationship of the first application and, from that binding relationship, determines whether any terminal bound only to the first application exists.

[0057] Specifically, the service platform obtains the identifier of the first application from the registration request or key acquisition request, looks up the first application's subscription configuration information in the database by that identifier, and derives the first application's binding relationship from the subscription configuration information, where the binding relationship includes information on the terminals bound only to the first application. Alternatively, the service platform obtains indication information from the registration request or key acquisition request, for example a list of identifiers of the terminals that have a binding relationship only with the first application, and derives from that indication information the first application's binding relationship, which includes information on the terminals bound only to the first application.

[0058] From the information on the terminals bound only to the first application, the service platform determines whether any terminal bound only to the first application exists, that is, whether there is at least one terminal that exchanges service communication only with the first application and communicates with no other application. If so, the process proceeds to step 10123; otherwise it skips to step 10126.

[0059] 10123. The service platform determines whether an encryption key has already been assigned to these terminals that are bound only to the first application.

[0060] For example, the service platform may query the database by the identifiers of the terminals bound only to the first application to find out whether an encryption key has already been assigned to them. If an encryption key has already been assigned to these terminals, the process proceeds to step 10124; otherwise it skips to step 10125.

[0061] 10124. The service platform obtains the encryption key already assigned to these terminals, uses it as the encryption key assigned to the first application, and proceeds to step 10127.

[0062] 10125. The service platform generates a new encryption key, stores it as the encryption key assigned to both the first application and these terminals, and proceeds to step 10127.

[0063] 10126. The service platform assigns a separate new encryption key to the first application, that is, it generates a new encryption key and stores it as the encryption key assigned to the first application.

[0064] 10127. The service platform sends the first application the encryption key assigned to it.

[0067] 10131. When the service platform receives a key update request from a first terminal, or an update rule configured for the first terminal is triggered, the service platform obtains the binding relationship of the first terminal and, from that binding relationship, determines whether the terminal is bound to only one application.

[0068] Specifically, the service platform may receive a key update request from the first terminal and update the key in response to that request. Alternatively, the service platform may trigger an update of the first terminal according to a preconfigured update rule, for example a periodic time-based trigger, a trigger when the amount of service data exchanged between the first terminal and the service platform reaches a certain threshold, or a trigger caused by a specific security event (for example an intrusion detected by the system).

[0069] After receiving the first terminal's key update request, the service platform may obtain the first terminal's identifier from the request, look up the first terminal's subscription configuration information in the database by that identifier, and derive the first terminal's binding relationship from the subscription configuration information. Alternatively, after receiving the first terminal's key update request, the service platform may obtain indication information from the request, for example a list of identifiers of the applications with which the first terminal has a binding relationship, and derive the first terminal's binding relationship from that indication information. Alternatively, when the update rule for the first terminal is triggered, the service platform obtains the first terminal's identifier, looks up the first terminal's subscription configuration information in the database by that identifier, and derives the first terminal's binding relationship from the subscription configuration information.

[0070] Having obtained the first terminal's binding relationship, the service platform determines from it whether the first terminal has a binding relationship with exactly one application, that is, whether the terminal exchanges service communication only with a single application and communicates with no other application. If the first terminal is found to be bound to only one application, that application is taken as the first application and the process proceeds to step 10132. Otherwise, if the first terminal is found to have binding relationships with several applications, or with no application at all, the process skips to step 10135.

[0071] 10132. The service platform obtains all terminals bound only to the first application.

[0072] For example, the service platform obtains the identifier of the first application, queries the subscription configuration information by that identifier, and obtains the identifiers of all terminals bound only to the first application. The process proceeds to step 10133.

[0073] 10133. The service platform generates a new encryption key and stores it as the encryption key assigned to the first application and to all terminals bound only to the first application. The process proceeds to step 10134.

[0074] 10134. The service platform sends the assigned encryption key to the first application and to all terminals bound only to the first application.

[0075] 10135. The service platform assigns a separate new encryption key to the first terminal, that is, it generates a new encryption key and stores it as the encryption key assigned to the first terminal. The process proceeds to step 10136.

[0076] 10136. The service platform sends the assigned encryption key to the first terminal.

[0079] 10141. When the service platform receives a key update request from the first application, or an update rule configured for the first application is triggered, the service platform obtains the binding relationship of the first application and, from that binding relationship, determines whether any terminal bound only to the first application exists.

[0080] Specifically, the service platform may receive a key update request from the first application and update the key in response to that request. Alternatively, the service platform may trigger an update of the first application according to a preconfigured update rule, for example a periodic time-based trigger, a trigger when the amount of service data exchanged between the first application and the service platform reaches a certain threshold, or a trigger caused by a specific security event (for example an intrusion detected by the system).

[0081] After receiving the first application's key update request, the service platform may obtain the first application's identifier from the request, look up the first application's subscription configuration information in the database by that identifier, and derive the first application's binding relationship from the subscription configuration information, where the binding relationship includes information on the terminals bound only to the first application. Alternatively, after receiving the first application's key update request, the service platform may obtain indication information from the request, for example a list of identifiers of the terminals that have a binding relationship only with the first application, and derive from that indication information the first application's binding relationship, which includes information on the terminals bound only to the first application. Alternatively, when the update rule for the first application is triggered, the service platform obtains the first application's identifier, looks up the first application's subscription configuration information in the database by that identifier, and derives from the subscription configuration information the first application's binding relationship, which includes information on the terminals bound only to the first application.

[0082] From the information on the terminals bound only to the first application, the service platform determines whether any terminal bound only to the first application exists, that is, whether there is at least one terminal that exchanges service communication only with the first application and communicates with no other application. If such a terminal exists, the process proceeds to step 10142; otherwise it skips to step 10144.

[0083] 10142. The service platform generates a new encryption key and stores it as the encryption key assigned to the first application and to all terminals bound only to the first application. The process proceeds to step 10143.

[0084] 10143. The service platform sends the assigned encryption key to the first application and to all terminals bound only to the first application.

[0085] 10144. The service platform assigns a separate new encryption key to the first application, that is, it generates a new encryption key and stores it as the encryption key assigned to the first application. The process proceeds to step 10145.

[0086] 10145. The service platform sends the assigned encryption key to the first application.

[0087] In the embodiments of the present invention, the service platform may send the encryption key in at least the following ways: a) over a secure transmission channel already established between the M2M service platform and the M2M terminal, such as short message service, Internet Protocol Security (IPSec) or Transport Layer Security (TLS); b) encrypted under a pre-configured key (for example the M2M terminal's asymmetric public key, or a symmetric key shared between the M2M service platform and the M2M terminal) before being sent; c) by another secure terminal configuration technology, such as the Device Management (DM) and Client Provisioning (CP) mechanisms defined by the Open Mobile Alliance (OMA).

[0088] 102、业务平台在确定所述终端与所述第一应用使用相同的加密密钥进行通信时，透传所述终端与所述第一应用之间交互的信息。 [0088] 102, internet service in the terminal and determining when the first application using the same encryption key to communicate transparently transmit information exchanged between the terminal and the first application.

[0089] 举例而言，业务平台在为与其连接的终端和应用分配了加密密钥后，接收某一终端发送的通信信息时，可以确定该终端的绑定关系，由于在该终端仅与一个应用绑定时，该终端与所绑定的应用之间是使用相同的加密密钥进行通信的，因而业务平台不对该通信信息进行解密和重新加密处理，直接透传给对应的应用。 When [0089] For example, the service platform for the application in the terminal connected thereto and the encryption key is allocated, a receiving communication information transmitted from the terminal, the terminal may determine the binding relationship, since only one of the terminal applying binding between the binding terminal and the application is using the same encryption key for communication, and therefore the service platform does not perform the decryption and re-encryption process communication information, pass directly through the corresponding application.而业务平台在接收某一应用发送的通信信息时，可以确定作为该应用的发送目标的终端的绑定关系，由于该终端仅与该应用绑定时，该终端与该应用之间是使用相同的加密密钥进行通信的，因而业务平台不对该通信信息进行解密和重新加密处理，直接透传给该终端。 And the service platform upon receiving the communication information sent by an application, may be determined as the transmission target binding relationship of the application terminal, the terminal is only due to binding with the application, between the terminal and the application using the same encryption key for communication, and therefore the service platform does not perform decryption and re-encryption process, directly and transparently pass the message to the communication terminal.

[0090] 另外，由于M2M终端本身是一些处理能力和网络连接能力都非常有限的简单的传感器设备，因此，在很多情况下，M2M终端需要通过M2M网关连接到M2M业务平台，并且需要由该M2M网关代理M2M终端处理通信内容的加密和解密。 [0090] Further, since the M2M terminal itself is some processing capabilities and network connection capabilities are very limited simple sensor device, and therefore, in many cases, M2M terminals need to be connected via an M2M gateway to the M2M service platform, and require a the M2M M2M terminal processing of the communication gateway proxy encryption and decryption of content.此时，M2M业务平台可将所述M2M网关作为一个M2M终端为其分发和更新加密密钥。 In this case, the service platform may M2M M2M M2M terminal as a gateway for distribution and updating the encryption key.具体地，当多个M2M终端通过公共的M2M网关与M2M业务平台相连接时，若这些M2M终端均仅与同一个M2M应用绑定，则可将该M2M网关看作仅与该M2M应用存在绑定关系的M2M终端，否则，将该M2M网关看作不与任何M2M应用存在单一绑定关系的M2M终端。 In particular, when a plurality of M2M terminals connected through a common gateway and the M2M M2M service platform, if these terminals are M2M M2M application with the same binding, the M2M gateway may be considered as merely tying the M2M application is present given relation M2M terminal, otherwise, the M2M M2M terminal gateway viewed as the absence of a single binding relationship with any M2M application.为表述简单起见，在本发明实施例中，所述终端均包括上述M2M网关的含义。 The expression for the sake of simplicity, in the embodiment of the present invention, the terminal includes a gateway M2M defined above.

[0091] 本发明实施例提供的加密通信方法，通过为仅与第一应用绑定的终端和所述第一应用分配相同的加密密钥，并在所述终端与所述第一应用使用所分配的相同的加密密钥进行通信时，透传所述终端与所述第一应用之间交互的经过相同加密密钥加密的信息。 [0091] The encrypted communication method according to an embodiment of the present invention, only the same terminal as the first application and assigned to bind the first encryption key, and the terminal and in the first application using the when the same encryption key allocated to communicate transparently transmit information over the same encryption key between the terminal and the interaction of the first application.因此，能够减少业务平台在转发信息过程中解密和重新加密的处理，减轻了业务平台的处理负担。 Therefore, it is possible to reduce the processing business platform decryption and re-encryption process of forwarding the information to reduce the processing load of the service platform.并且，终端也只需要使用单一的加密密钥在发送和接收业务消息时进行加密或解密处理。 Further, the terminal requires only a single encryption key at the transmitting and receiving service message or decryption process.减轻了处理能力和电源都比较有限的终端的处理负担。 Reducing the processing power and the power are relatively limited processing load of the terminal.从而，能够在保证数据安全的前提下，减轻了M2M系统内设备的处理负担，提高了M2M系统处理业务的性能。 This makes it possible to ensure data security in the premise, reduces the processing burden on the system within the M2M equipment to improve the performance of the M2M system processing business.

[0092] 在以上所述的实施例中，可以在终端或应用注册时分配加密密钥，也可以在触发终端或应用的更新时分配加密密钥，下面结合上述不同情况对本发明实施例作进一步详细描述。 [0092] In the above-described embodiment may be allocated when the registered terminal or application encryption keys can be allocated to update the encryption key at the terminal or application is triggered, in conjunction with the following case where the above-described various embodiments of the present invention will be further Detailed Description.

[0093] Specific embodiment 1

[0094] In this embodiment, assume that when the M2M service was subscribed to, M2M terminals 1 and 2 (for example smart meters) were each bound only to M2M application 1 (for example a power company's meter-reading system), that communication between M2M terminals 1 and 2 and M2M application 1 must be encrypted, and that the related communication configuration data are stored in the M2M service operator's subscription database (for example a Home Location Register (HLR)). When M2M terminals 1 and 2 register with the M2M service platform first and M2M application 1 registers only afterwards, the method by which the M2M service platform distributes encryption keys to M2M terminals 1 and 2 and M2M application 1, shown in Figure 6, comprises:

[0095] 201. M2M terminal 1 sends a registration request message to the M2M service platform; the registration request message contains the identifier D1 of M2M terminal 1.

[0096] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0097] 202. The M2M service platform authenticates M2M terminal 1 by the identifier D1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 1.

[0098] 203. From the binding information obtained, the M2M service platform determines that M2M terminal 1 is bound only to M2M application 1 and that no encryption key has yet been assigned to M2M application 1;

[0099] 204. The M2M service platform assigns the same encryption key K1 to M2M terminal 1 and M2M application 1 and stores it in a local or remote database;

[0101] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M terminal 1 and then send it to M2M terminal 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M terminal 1.

[0105] 208. From the binding information obtained, the M2M service platform determines that M2M terminal 2 is bound only to M2M application 1 and that encryption key K1 has already been assigned to M2M application 1.

[0107] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M terminal 2 and then send it to M2M terminal 2 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M terminal 2.

[0109] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0110] 211. The M2M service platform authenticates M2M application 1 by the identifier A1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 1;

[0111] 212. From the binding information obtained, the M2M service platform determines that M2M terminals 1 and 2 are bound only to M2M application 1, that is, terminals bound only to M2M application 1 exist, and that encryption key K1 has already been assigned to M2M application 1 and M2M terminals 1 and 2;

[0113] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M application 1 and then send it to M2M application 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M application 1.

[0114] 214. M2M terminals 1 and 2 and M2M application 1 use the encryption key K1 assigned by the M2M service platform to establish encrypted unicast or multicast M2M service communication. The M2M service platform can pass the encrypted service messages between M2M terminals 1 and 2 and M2M application 1 straight through, without decrypting and re-encrypting them when forwarding.

[0115] Optionally, if a national security authority or regulator needs to lawfully intercept the M2M service communication between M2M terminals 1 and 2 and M2M application 1, the M2M service platform can use the stored encryption key K1 to decrypt the corresponding M2M service messages itself, or direct another network entity to do so.

[0116] Specific embodiment 2

[0117] In this embodiment, assume that when the M2M service was subscribed to, M2M terminals 1 and 2 (for example smart meters) were each bound only to M2M application 1 (for example a power company's meter-reading system), that communication between M2M terminals 1 and 2 and M2M application 1 must be encrypted, and that the related communication configuration data are stored in the M2M service operator's subscription database. When M2M application 1 registers with the M2M service platform first and M2M terminals 1 and 2 register only afterwards, the method by which the M2M service platform distributes encryption keys to M2M terminals 1 and 2 and M2M application 1, shown in Figure 7, comprises:

[0119] Optionally, the registration request message may also contain an indication requesting an encryption key;

[0120] 302. The M2M service platform authenticates M2M application 1 by the identifier A1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 1;

[0121] 303. From the binding information obtained, the M2M service platform determines that M2M terminals 1 and 2 are bound only to M2M application 1, that is, terminals bound only to M2M application 1 exist, and that no encryption key has yet been assigned to M2M application 1;

[0122] 304. The M2M service platform assigns the same encryption key K1 to M2M terminals 1 and 2 and M2M application 1 and stores it in a local or remote database;

[0124] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M application 1 and then send it to M2M application 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M application 1.

[0125] 306. M2M terminal 1 sends a registration request message to the M2M service platform; the registration request message contains the identifier D1 of M2M terminal 1.

[0126] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0127] 307. The M2M service platform authenticates M2M terminal 1 by the identifier D1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 1.

[0128] 308. From the binding information obtained, the M2M service platform determines that M2M terminal 1 is bound only to M2M application 1 and that encryption key K1 has already been assigned to M2M terminal 1;

[0130] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M terminal 1 and then send it to M2M terminal 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M terminal 1.

[0132] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0133] 311. The M2M service platform authenticates M2M terminal 2 by the identifier D2 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 2.

[0134] 312. From the binding information obtained, the M2M service platform determines that M2M terminal 2 is bound only to M2M application 1 and that encryption key K1 has already been assigned to M2M terminal 2.

[0136] Optionally, to protect encryption key K1, the M2M service platform can encrypt K1 under a base key pre-shared with M2M terminal 2 and then send it to M2M terminal 2 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key K1 to M2M terminal 2.

[0137] 314. M2M terminals 1 and 2 and M2M application 1 use the encryption key K1 assigned by the M2M service platform to establish encrypted unicast or multicast M2M service communication. The M2M service platform can pass the encrypted service messages between M2M terminals 1 and 2 and M2M application 1 straight through, without decrypting and re-encrypting them when forwarding.

[0138] Optionally, if a national security authority or regulator needs to lawfully intercept the M2M service communication between M2M terminals 1 and 2 and M2M application 1, the M2M service platform can use the stored encryption key K1 to decrypt the corresponding M2M service messages itself, or direct another network entity to do so.

[0139] Specific embodiment 3

[0140] In this embodiment, assume that when the M2M service was subscribed to, M2M applications 1 and 2 (for example a fleet monitoring system and a vehicle maintenance centre) were each bound only to M2M terminal 1 (for example a vehicle fault sensor), that communication between M2M terminal 1 and M2M applications 1 and 2 must be encrypted, and that the related communication configuration data are stored in the M2M service operator's subscription database. The method by which the M2M service platform distributes encryption keys to M2M terminal 1 and M2M applications 1 and 2, shown in Figure 8, comprises:

[0142] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0143] 402. The M2M service platform authenticates M2M application 1 by the identifier A1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 1;

[0144] 403. From the binding information obtained, the M2M service platform determines that no M2M terminal bound only to M2M application 1 exists;

[0147] Optionally, to protect encryption key Ka1, the M2M service platform can encrypt Ka1 under a base key pre-shared with M2M application 1 and then send it to M2M application 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Ka1 to M2M application 1.

[0149] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0150] 407. The M2M service platform authenticates M2M application 2 by the identifier A2 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 2;

[0151] 408. From the binding information obtained, the M2M service platform determines that no M2M terminal bound only to M2M application 2 exists;

[0154] Optionally, to protect encryption key Ka2, the M2M service platform can encrypt Ka2 under a base key pre-shared with M2M application 2 and then send it to M2M application 2 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Ka2 to M2M application 2.

[0155] 411. M2M terminal 1 sends a registration request message to the M2M service platform; the registration request message contains the identifier D1 of M2M terminal 1.

[0156] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0157] 412. The M2M service platform authenticates M2M terminal 1 by the identifier D1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 1;

[0158] 413. From the binding information obtained, the M2M service platform determines that M2M terminal 1 is bound to both M2M application 1 and M2M application 2;

[0159] The subsequent procedure also applies if the M2M service platform determines that M2M terminal 1 is not bound to any M2M application.

[0162] Optionally, to protect encryption key Kd1, the M2M service platform can encrypt Kd1 under a base key pre-shared with M2M terminal 1 and then send it to M2M terminal 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Kd1 to M2M terminal 1.

[0163] 416. M2M terminal 1 and the M2M service platform establish M2M service communication encrypted under encryption key Kd1, while M2M applications 1 and 2 encrypt their M2M service communication with the M2M service platform under encryption keys Ka1 and Ka2 respectively. The M2M service platform therefore has to decrypt and re-encrypt M2M service messages when forwarding them.

[0164] Optionally, if a national security authority or regulator needs to lawfully intercept the M2M service communication between M2M terminal 1 and M2M applications 1 and 2, the M2M service platform can send the content it decrypts while forwarding the M2M service messages directly to the national security authority or regulator.

[0165] Specific embodiment 4

[0166] In this embodiment, assume that when the M2M service was subscribed to, M2M terminal 1 was bound to both M2M applications 1 and 2 while M2M terminal 2 was bound only to M2M application 2, that communication between the M2M terminals and the M2M applications must be encrypted, and that the related communication configuration data are stored in the M2M service operator's subscription database. The method by which the M2M service platform distributes encryption keys to M2M terminals 1 and 2 and M2M applications 1 and 2, shown in Figure 9, comprises:

[0168] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0169] 502. The M2M service platform authenticates M2M application 1 by the identifier A1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 1;

[0170] 503. From the binding information obtained, the M2M service platform determines that no M2M terminal bound only to M2M application 1 exists;

[0173] Optionally, to protect encryption key Ka1, the M2M service platform can encrypt Ka1 under a base key pre-shared with M2M application 1 and then send it to M2M application 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Ka1 to M2M application 1.

[0175] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0176] 507. The M2M service platform authenticates M2M application 2 by the identifier A2 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M application 2;

[0177] 508. From the binding information obtained, the M2M service platform determines that M2M terminal 2 is bound only to M2M application 2, that is, a terminal bound only to M2M application 2 exists, and that no encryption key has yet been assigned to M2M application 2 and M2M terminal 2;

[0178] 509. The M2M service platform assigns the same encryption key Ka2 to M2M terminal 2 and M2M application 2 and stores it in a local or remote database;

[0180] Optionally, to protect encryption key Ka2, the M2M service platform can encrypt Ka2 under a base key pre-shared with M2M application 2 and then send it to M2M application 2 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Ka2 to M2M application 2.

[0181] 511. M2M terminal 1 sends a registration request message to the M2M service platform; the registration request message contains the identifier D1 of M2M terminal 1.

[0182] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0183] 512. The M2M service platform authenticates M2M terminal 1 by the identifier D1 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 1;

[0184] 513. From the binding information obtained, the M2M service platform determines that M2M terminal 1 is bound to both M2M application 1 and M2M application 2;

[0187] Optionally, to protect encryption key Kd1, the M2M service platform can encrypt Kd1 under a base key pre-shared with M2M terminal 1 and then send it to M2M terminal 1 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Kd1 to M2M terminal 1.

[0188] 516. M2M terminal 1 and the M2M service platform establish M2M service communication encrypted under encryption key Kd1, while M2M applications 1 and 2 encrypt their M2M service communication with the M2M service platform under encryption keys Ka1 and Ka2 respectively. The M2M service platform has to decrypt and re-encrypt M2M service messages when forwarding them between M2M terminal 1 and M2M applications 1 and 2.

[0190] Optionally, the registration request message may also contain an indication requesting an encryption key.

[0191] 518. The M2M service platform authenticates M2M terminal 2 by the identifier D2 and, after authentication succeeds, queries the local or remote subscription database to obtain the subscription binding information of M2M terminal 2;

[0192] 519. From the binding information obtained, the M2M service platform determines that M2M terminal 2 is bound only to M2M application 2 and that encryption key Ka2 has already been assigned to M2M terminal 2;

[0194] Optionally, to protect encryption key Ka2, the M2M service platform can encrypt Ka2 under a base key pre-shared with M2M terminal 2 and then send it to M2M terminal 2 in the registration response message. Alternatively, another secure transport technique can be used to send encryption key Ka2 to M2M terminal 2.

[0195] 521. M2M terminal 2 and the M2M service platform establish M2M service communication encrypted under encryption key Ka2, while M2M applications 1 and 2 encrypt their M2M service communication with the M2M service platform under encryption keys Ka1 and Ka2 respectively. When forwarding M2M service messages between M2M terminal 2 and M2M application 2, the M2M service platform can pass them straight through without decrypting and re-encrypting them, which reduces its processing load and improves system performance.

[0196] This embodiment describes the scenario in which the M2M applications register first. If the M2M terminals register first, the M2M service platform first assigns encryption key Ka2 to M2M terminal 2 and then distributes the same key Ka2 to M2M application 2; M2M application 1 and M2M terminal 1 still receive the separate encryption keys Ka1 and Kd1 respectively.

[0197] Specific Embodiment 5

[0198] After Specific Embodiment 1 or 2 has been completed, when the encryption key for communication between M2M terminals 1 and 2 and M2M application 1 needs to be updated (for example, an M2M terminal detects that the key validity period has ended), the method by which the M2M service platform updates the encryption key for M2M terminals 1 and 2 and M2M application 1, as shown in FIG. 10, includes:

[0199] 601. When M2M terminal 1 finds that the encryption key K1 is about to expire, it sends a key update request to the M2M service platform; the key update request contains the identifier D1 of M2M terminal 1;

[0201] 603. Based on the obtained binding relationship information, the M2M service platform determines that M2M terminal 1 has a binding relationship only with M2M application 1, and that there is also M2M terminal 2, which is bound only to M2M application 1; it therefore needs to update the encryption key for M2M terminals 1 and 2 and M2M application 1 at the same time;

[0202] 604. The M2M service platform reallocates the same new encryption key K2 to M2M terminals 1 and 2 and M2M application 1, and stores it in a local or remote database;

[0204] Optionally, to protect the encryption key K2, the M2M service platform may encrypt K2 with the basic key pre-shared with M2M terminal 1 and then send it to M2M terminal 1 in the registration response message. Alternatively, other secure transmission techniques may be used to send the encryption key K2 to M2M terminal 1.

[0205] 606. The M2M service platform actively pushes the updated new encryption key K2 to M2M terminal 2 and M2M application 1.

[0206] For example, the M2M service platform may implement the push using short messages, OMA-PUSH or similar technologies. Optionally, the M2M service platform may protect the encryption key K2 by encrypting it with the basic keys pre-shared with M2M terminal 2 and M2M application 1, or with the encryption key K1. Alternatively, other secure transmission techniques may be used to send the encryption key K2 to M2M terminal 2 and M2M application 1. Further optionally, the M2M service platform may also require M2M terminal 2 and M2M application 1 to return an acknowledgement message confirming that the key update succeeded.

[0207] 607. M2M terminals 1 and 2 and M2M application 1 carry out unicast or multicast M2M service communication encrypted with the new encryption key K2 reallocated by the M2M service platform. The M2M service platform can transparently pass through the encrypted service messages between M2M terminals 1 and 2 and M2M application 1, without performing decryption and re-encryption when forwarding them.

[0208] Optionally, if a state security organ or a regulatory authority needs to lawfully intercept the M2M service communication between M2M terminals 1 and 2 and M2M application 1, the M2M service platform may use the stored encryption key K2 to decrypt the corresponding M2M service messages itself, or instruct another network entity to do so.

[0209] This embodiment describes a key update procedure initiated by M2M terminal 1. In practice, the key update procedure may also be initiated by M2M terminal 2, M2M application 1 or the M2M service platform; the specific methods are similar and are not repeated here.

[0210] Specific Embodiment 6

[0211] After Specific Embodiment 1 or 2 has been completed, a binding relationship between M2M terminal 2 and M2M application 2 is added to the subscription database (that is, M2M terminal 2 is now bound to both M2M applications 1 and 2), and M2M application 2 has been allocated the encryption key Ka2 according to its binding relationships with other M2M terminals. As shown in FIG. 11, the method by which the M2M service platform updates the encryption key for M2M terminals 1 and 2 and M2M application 1 includes:

[0212] 701. When the binding relationship between M2M terminal 2 and M2M application 2 is added to the subscription database, the M2M service platform obtains the corresponding binding relationship change notification;

[0213] 702. According to the binding relationship change notification, the M2M service platform determines the binding relationship of M2M terminal 2 after the change, and notifies M2M terminal 2 to go offline and re-register.

[0214] 703. According to the binding relationship before the change, the M2M service platform determines that the terminals bound only to M2M application 1 include M2M terminal 2, and thus that the key of M2M application 1 needs to be updated; it therefore obtains the subscription binding relationship information of M2M application 1;

[0215] 704. Based on the obtained binding relationship information, the M2M service platform determines that, apart from M2M terminal 2, the terminals bound only to M2M application 1 also include M2M terminal 1; it therefore needs to update the encryption key for M2M terminal 1 and M2M application 1 at the same time;

[0216] 705. The M2M service platform reallocates the same new encryption key K2 to M2M terminal 1 and M2M application 1, and stores it in a local or remote database;

[0217] 706. The M2M service platform actively pushes the updated new encryption key K2 to M2M terminal 1 and M2M application 1.

[0218] For example, the M2M service platform may implement the push using short messages, OMA-PUSH or similar technologies. Optionally, the M2M service platform may protect the encryption key K2 by encrypting it with the basic keys pre-shared with M2M terminal 1 and M2M application 1, or with the encryption key K1. Alternatively, other secure transmission techniques may be used to send the encryption key K2 to M2M terminal 1 and M2M application 1. Further optionally, the M2M service platform may also require M2M terminal 1 and M2M application 1 to return an acknowledgement message confirming that the key update succeeded.

[0219] 707. M2M terminal 1 and M2M application 1 establish unicast or multicast M2M service communication encrypted with the new encryption key K2 reallocated by the M2M service platform.

[0220] 708. M2M terminal 2 re-registers with the M2M service platform and obtains a separate encryption key Kd2 by the method described in Specific Embodiment 3;

[0221] 709. M2M terminal 2 and the M2M service platform establish M2M service communication encrypted with the encryption key Kd2, while M2M applications 1 and 2 use the encryption keys K2 and Ka2 respectively to encrypt their M2M service communication with the M2M service platform. When forwarding the M2M service messages of M2M terminal 2, the M2M service platform must now perform decryption and re-encryption.

[0222] This embodiment describes a key update procedure caused by a change in the subscription binding relationship of M2M terminal 2. In practice, the key update may also be caused by a change in the subscription binding relationship of M2M terminal 1 or M2M application 1. In general, if an M2M terminal (or M2M application) had a single binding relationship with the related M2M application (or M2M terminal) before the subscription binding relationship was changed, then after the change the M2M service platform needs to update the encryption key for that M2M application (or M2M terminal), while the M2M terminal (or M2M application) needs to re-register with the M2M service platform and obtain an encryption key again according to the updated subscription binding relationship. If the M2M terminal (or M2M application) did not have a single binding relationship with the related M2M application (or M2M terminal) before the change, then after the change the M2M service platform does not need to update the encryption key for that M2M application (or M2M terminal), but the M2M terminal (or M2M application) still needs to re-register with the M2M service platform and obtain an encryption key again according to the updated subscription binding relationship.
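The key-allocation rules of Specific Embodiments 4 to 6 (shared key for terminals bound only to one application, separate key otherwise, transparent pass-through only when both ends hold the same key, re-keying on expiry and on a binding change) are modelled below as an added Python example. This is not the patent's own code; the class, method and entity names ("T1", "A1"), the representation of a binding relationship as a set of application identifiers, and the 16-byte random keys are all assumptions made for the example.

```python
"""Control-plane model of the M2M service platform (added example, hypothetical names)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field


@dataclass
class ServicePlatform:
    # Subscription database (constructed): terminal id -> ids of the applications it is bound to.
    bindings: dict[str, set[str]]
    # Key store (the "local or remote database" of the text): entity id -> allocated key.
    keys: dict[str, bytes] = field(default_factory=dict)

    def terminals_bound_only_to(self, app: str) -> set[str]:
        """Terminals whose binding relationship is exactly {app}."""
        return {t for t, apps in self.bindings.items() if apps == {app}}

    def allocate_key_for_terminal(self, term: str) -> bytes:
        """Terminal registration: same key as its single application, otherwise a separate key."""
        apps = self.bindings.get(term, set())
        if len(apps) == 1:
            (app,) = tuple(apps)
            # Reuse the application's key if it already has one, else generate and store it
            # under the application so a later application registration picks it up.
            key = self.keys.setdefault(app, secrets.token_bytes(16))
        else:
            # Bound to several applications, or to none: separate key.
            key = secrets.token_bytes(16)
        self.keys[term] = key
        return key

    def allocate_key_for_application(self, app: str) -> bytes:
        """Application registration: share the key of terminals bound only to it, else separate."""
        only = self.terminals_bound_only_to(app)
        existing = [self.keys[t] for t in only if t in self.keys]
        key = existing[0] if existing else secrets.token_bytes(16)
        self.keys[app] = key
        for t in only:
            self.keys[t] = key
        return key

    def forwarding_mode(self, term: str, app: str) -> str:
        """Pass-through only when both ends hold the same key; otherwise decrypt and re-encrypt."""
        if term not in self.keys or app not in self.keys:
            raise KeyError("both endpoints must be registered")
        return "transparent" if self.keys[term] == self.keys[app] else "decrypt-and-re-encrypt"

    def rotate_shared_key(self, requester: str) -> set[str]:
        """Key update on expiry (Embodiment 5). Returns the entities the new key must be
        pushed to; the requester receives it in the response to its own request."""
        apps = self.bindings.get(requester, set())
        if len(apps) != 1:
            self.keys[requester] = secrets.token_bytes(16)  # separately keyed terminal
            return set()
        (app,) = tuple(apps)
        group = self.terminals_bound_only_to(app) | {app}
        new_key = secrets.token_bytes(16)
        for entity in group:
            self.keys[entity] = new_key
        return group - {requester}

    def on_binding_changed(self, term: str, new_apps: set[str]) -> set[str]:
        """Binding change (Embodiment 6). If the terminal had a single binding, the application
        and the remaining terminals bound only to it get a fresh key; the changed terminal is
        deregistered and must re-register. Returns the entities that received the fresh key."""
        old_apps = self.bindings.get(term, set())
        self.bindings[term] = set(new_apps)
        self.keys.pop(term, None)  # forces re-registration under the new binding
        if len(old_apps) != 1:
            return set()
        (app,) = tuple(old_apps)
        group = self.terminals_bound_only_to(app) | {app}  # no longer contains `term`
        new_key = secrets.token_bytes(16)
        for entity in group:
            self.keys[entity] = new_key
        return group


if __name__ == "__main__":
    p = ServicePlatform(bindings={"T1": {"A1"}, "T2": {"A1"}, "T3": {"A2"}})
    for entity in ("T1", "T2", "T3"):
        p.allocate_key_for_terminal(entity)
    for entity in ("A1", "A2"):
        p.allocate_key_for_application(entity)
    print("T1->A1:", p.forwarding_mode("T1", "A1"), "| T3->A1:", p.forwarding_mode("T3", "A1"))
    print("push after expiry on T1:", sorted(p.rotate_shared_key("T1")))
    print("re-keyed after T2 binding change:", sorted(p.on_binding_changed("T2", {"A1", "A2"})))
```

Walking the scenario of the text through this model: terminals T1 and T2, each bound only to A1, end up with A1's key and are forwarded transparently; T3, bound only to A2, shares A2's key but is re-encrypted on any path to A1; after T2 gains a second binding, only T1 and A1 are re-keyed, and T2 obtains a separate key when it re-registers.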

[0223] In the encrypted communication method provided by the embodiments of the present invention, the same encryption key is allocated to the terminals bound only to the first application and to the first application; a separate encryption key is allocated to each terminal bound to multiple applications or not bound to any application; when it is determined that no terminal is bound only to the first application, a separate encryption key is allocated to the first application; and when the terminal and the first application communicate using the same allocated encryption key, the information exchanged between the terminal and the first application, encrypted with that same key, is passed through transparently. This reduces the decryption and re-encryption processing the service platform performs when forwarding information, and so lightens the processing load on the service platform. Moreover, a terminal only needs a single encryption key for encrypting and decrypting the service messages it sends and receives, which lightens the processing load on terminals whose processing power and power supply are limited. As a result, the processing load on the devices in the M2M system is reduced and the performance of the M2M system in processing services is improved, while data security is still guaranteed.

[0225] a key allocation unit 801, configured to allocate the same encryption key to the terminal bound only to the first application and to the first application;

[0226] a key storage unit 802, configured to store the encryption key allocated by the key allocation unit 801 to the terminal or to the first application;

[0227] an encrypted communication unit 803, configured to transparently pass through the information exchanged between the terminal and the first application when it determines, according to the encryption keys stored in the key storage unit 802, that the terminal and the first application communicate using the same encryption key.

[0228] Further, the key allocation unit 801 is also configured to allocate a separate encryption key to a terminal bound to multiple applications or not bound to any application, and to allocate a separate encryption key to the first application when it determines that no terminal is bound only to the first application.

[0230] a request receiving subunit, configured to receive a registration request or key acquisition request sent by a terminal;

[0231] a binding acquisition subunit, configured to obtain the binding relationship of the terminal according to the registration request or key acquisition request received by the request receiving subunit;

[0232] a key allocation subunit, configured to allocate to the terminal the same encryption key as the first application when, according to the binding relationship obtained by the binding acquisition subunit, it determines that the terminal is bound only to the first application; or to allocate a separate encryption key to the terminal when, according to that binding relationship, it determines that the terminal is bound to multiple applications or not bound to any application.

[0234] an identifier acquisition module, configured to obtain the identifier of the terminal from the registration request or key acquisition request sent by the terminal;

[0241] a key acquisition module, configured to obtain the encryption key allocated to the first application when it determines, according to the binding relationship of the terminal, that the terminal is bound only to the first application and an encryption key has already been allocated to the first application;

[0242] a key generation module, configured to generate the encryption key corresponding to the terminal when it determines, according to the binding relationship of the terminal, that the terminal is bound only to the first application and no encryption key has yet been allocated to the first application; or to generate the encryption key corresponding to the terminal when it determines, according to the binding relationship of the terminal, that the terminal is bound to multiple applications or not bound to any application;

[0245] a request receiving subunit, configured to receive a registration request or key acquisition request sent by the first application;

[0246] a binding acquisition subunit, configured to obtain the binding relationship of the first application according to the registration request or key acquisition request received by the request receiving subunit;

[0247] a key allocation subunit, configured to allocate to the first application the same encryption key as the terminals bound only to the first application when, according to the binding relationship obtained by the binding acquisition subunit, it determines that a terminal bound only to the first application exists; or to allocate a separate encryption key to the first application when, according to that binding relationship, it determines that no terminal bound only to the first application exists.

[0249] an identifier acquisition module, configured to obtain the identifier of the first application from the registration request or key acquisition request sent by the first application;

[0250] an information acquisition module, configured to obtain the subscription configuration information of the first application according to the identifier obtained by the identifier acquisition module;

[0251] a binding acquisition module, configured to obtain the binding relationship of the first application according to the subscription configuration information obtained by the information acquisition module.

[0253] an indication acquisition module, configured to obtain indication information from the registration request or key acquisition request sent by the first application;

[0254] a binding acquisition module, configured to obtain the binding relationship of the first application according to the indication information obtained by the indication acquisition module.

[0256] a key acquisition module, configured to obtain the encryption key allocated to the terminal bound only to the first application when it determines, according to the binding relationship of the first application, that a terminal bound only to the first application exists and an encryption key has already been allocated to that terminal;

[0257] a key generation module, configured to generate the encryption key corresponding to the first application when it determines, according to the binding relationship of the first application, that a terminal bound only to the first application exists and no encryption key has yet been allocated to that terminal; or to generate the encryption key corresponding to the first application when it determines, according to the binding relationship of the first application, that no terminal bound only to the first application exists;

[0258] a key sending module, configured to send to the first application the encryption key obtained by the key acquisition module or the encryption key generated by the key generation module.

[0261] an update binding acquisition subunit, configured to obtain the binding relationship of the first terminal when the update trigger determination subunit determines that the update for the first terminal is to be performed;

[0262] an update key generation subunit, configured to determine the terminals bound only to the first application and generate the encryption key corresponding to those terminals and the first application when it determines, according to the binding relationship obtained by the update binding acquisition subunit, that the first terminal is bound only to the first application; or to generate the encryption key corresponding to the first terminal when it determines, according to that binding relationship, that the first terminal is bound to multiple applications or not bound to any application;

[0263] an update key sending subunit, configured to send the encryption key generated by the update key generation subunit to the first application and to the terminals bound only to the first application; or to send the encryption key generated by the update key generation subunit to the first terminal.

[0265] an update trigger determination subunit, configured to determine that the update corresponding to the first application is to be performed when a key update request from the first application is received or the update-setting rule of the first application is triggered;

[0266] an update binding acquisition subunit, configured to obtain the binding relationship of the first application when the update trigger determination subunit determines that the update for the first application is to be performed;

[0267] an update key generation subunit, configured to generate the encryption key corresponding to the first application and to the terminals bound only to the first application when it determines, according to the binding relationship obtained by the update binding acquisition subunit, that a terminal bound only to the first application exists; or to generate the encryption key corresponding to the first application when it determines, according to that binding relationship, that no terminal bound only to the first application exists;

[0268] an update key sending subunit, configured to send the encryption key generated by the update key generation subunit to the first application and to the terminals bound only to the first application; or to send the encryption key generated by the update key generation subunit to the first application.

[0269] In the encrypted communication apparatus provided by the embodiments of the present invention, the same encryption key is allocated to the terminal bound only to the first application and to the first application, and when the terminal and the first application communicate using the same allocated encryption key, the information exchanged between them, encrypted with that same key, is passed through transparently. This reduces the decryption and re-encryption processing the service platform performs when forwarding information, and so lightens the processing load on the service platform. Moreover, a terminal only needs a single encryption key for encrypting and decrypting the service messages it sends and receives, which lightens the processing load on terminals whose processing power and power supply are limited. As a result, the processing load on the devices in the M2M system is reduced and the performance of the M2M system in processing services is improved, while data security is still guaranteed.

[0270] Corresponding to the above method and apparatus, an embodiment of the present invention further provides an encrypted communication system which, as shown in FIG. 13, includes a terminal 901, a service platform 902 and a first application 903;

[0271] the service platform 902 is configured to allocate the same encryption key to the terminal 901, which is bound only to the first application, and to the first application 903, and to transparently pass through the information exchanged between the terminal 901 and the first application 903 when it determines that the terminal 901 and the first application 903 communicate using the same encryption key;

[0272] the terminal 901 is configured to obtain the encryption key allocated by the service platform 902, and to encrypt or decrypt the information exchanged with the first application 903 using the obtained encryption key;

[0273] the first application 903 is configured to obtain the encryption key allocated by the service platform 902, and to encrypt or decrypt the information exchanged with the terminal 901 using the obtained encryption key.

[0274] In the encrypted communication system provided by the embodiments of the present invention, the same encryption key is allocated to the terminal bound only to the first application and to the first application, and when the terminal and the first application communicate using the same allocated encryption key, the information exchanged between them, encrypted with that same key, is passed through transparently. This reduces the decryption and re-encryption processing the service platform performs when forwarding information, and so lightens the processing load on the service platform. Moreover, a terminal only needs a single encryption key for encrypting and decrypting the service messages it sends and receives, which lightens the processing load on terminals whose processing power and power supply are limited. As a result, the processing load on the devices in the M2M system is reduced and the performance of the M2M system in processing services is improved, while data security is still guaranteed.
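The data-plane half of the system just described (terminal 901 and application 903 encrypting with the allocated key, service platform 902 forwarding) is shown below as an added Python example; it is not the patent's code. The patent leaves the symmetric cipher unspecified, so the example uses a standard-library encrypt-then-MAC construction (HMAC-SHA256 in counter mode for confidentiality, HMAC-SHA256 tag for integrity) purely so that it runs offline; the function names, the entity names and the keys are constructed for the example.

```python
"""Data-plane model of the service platform's forwarding rule (added example, hypothetical names)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest length


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Derive separate encryption and MAC keys from the single key the platform allocated.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks, truncated to `length`.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh random nonce; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, message: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on a wrong key or tampering."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def is_authentic(key: bytes, message: bytes) -> bool:
    """True if `message` was sealed under `key` and has not been modified."""
    try:
        open_sealed(key, message)
        return True
    except ValueError:
        return False


def forward(keys: dict[str, bytes], src: str, dst: str, message: bytes) -> tuple[str, bytes]:
    """Platform forwarding rule: if sender and receiver hold the same allocated key the
    ciphertext is passed through untouched (the platform never sees plaintext on this path);
    otherwise it is decrypted with the sender's key and re-encrypted with the receiver's key."""
    if keys[src] == keys[dst]:
        return "transparent", message
    plaintext = open_sealed(keys[src], message)
    return "re-encrypted", seal(keys[dst], plaintext)


if __name__ == "__main__":
    # Constructed key store: T1 and A1 share a key, T2 holds a separate one.
    shared, separate = secrets.token_bytes(16), secrets.token_bytes(16)
    store = {"T1": shared, "A1": shared, "T2": separate}
    mode, out = forward(store, "T1", "A1", seal(shared, b"meter reading 1234"))
    print(mode, open_sealed(shared, out))
    mode, out = forward(store, "T2", "A1", seal(separate, b"meter reading 5678"))
    print(mode, open_sealed(shared, out))
```

The two `forward` calls in the usage section are the two cases of step 709: on the shared-key path the bytes the application receives are exactly the bytes the terminal sent, while on the separately-keyed path the platform must hold both keys and touch the plaintext.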

[0275] Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.

[0276] The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto. Any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Accordingly, the scope of protection of the present invention shall be determined by the scope of the claims.

Claims (29)

1.一种加密通信方法，其特征在于，应用于机器通信121系统中，包括: 业务平台为仅与第一应用绑定的终端和所述第一应用分配相同的加密密钥；所述仅与第一应用绑定的终端为仅与所述第一应用通信且不与除所述第一应用外的其他应用通信的终端； 所述业务平台在确定所述终端与所述第一应用使用相同的加密密钥进行通信时，透传所述终端与所述第一应用之间交互的信息。 An encrypted communication method, characterized in that, applied to machine communication system 121, comprising: a terminal service platform is only bound to the first application and the same encryption key allocated the first application; the only to bind with the first terminal is in communication with only the first application and not with other inter-application communication terminal outside of the first application; the service platform in the terminal and determining the first application using when the same encryption key to communicate transparently transmit information exchanged between the terminal and the first application.

2.根据权利要求1所述的加密通信方法，其特征在于，所述方法还包括: 接收由终端发送的注册请求或密钥获取请求； 在根据所述注册请求或密钥获取请求，获取所述终端的绑定关系。 The encryption communication method according to claim 1, wherein said method further comprises: receiving a registration request or the key obtaining request transmitted by the terminal; acquiring request according to the registration request or the key, acquires the said terminal binding relationship.

3.根据权利要求2所述的加密通信方法，其特征在于，所述根据所述注册请求或密钥获取请求，获取所述终端的绑定关系包括: 从所述注册请求或密钥获取请求中获取所述终端的标识，根据所述终端的标识获取所述终端的签约配置信息，根据所述终端的签约配置信息获取所述终端的绑定关系；或者， 从所述注册请求或密钥获取请求中获取指示信息，根据所述指示信息获取所述终端的绑定关系。 The encryption communication method according to claim 2, wherein said obtaining request according to the registration request or the key, the binding relationship obtaining terminal comprising: an acquisition request or the registration request from the key obtaining the identifier of the terminal, obtain the subscription information of the terminal configuration of the terminal according to the identifier, obtain the binding relationship of the terminal according to the subscription information of the terminal configuration; or a registration request from the key or obtaining indication information acquisition request, acquires the terminal binding relationship according to the indication information.

4.根据权利要求2所述的加密通信方法，其特征在于，所述为仅与第一应用绑定的终端和所述第一应用分配相同的加密密钥包括: 在根据所述终端的绑定关系确定所述终端仅与第一应用绑定时，为所述终端分配与所述第一应用相同的加密密钥。 The encryption communication method according to claim 2, wherein said binding is only applied to the first terminal and the first application assigned the same encryption key comprises: tied in the terminal according to determining the timing relationship between the first application is only bound to the terminal, the terminal is assigned is the same as the first application of the encryption key.

5.根据权利要求4所述的加密通信方法，其特征在于，所述为所述终端分配与所述第一应用相同的加密密钥包括: 在确定已为所述第一应用分配加密密钥时，获取为所述第一应用分配的加密密钥； 在确定未为所述第一应用分配加密密钥时，生成加密密钥，并保存所述生成的加密密钥； 向所述终端发送所述加密密钥。 The encryption communication method according to claim 4, wherein said dispensing terminal is the same with the first application of the encryption key comprises: determining that the first application has been assigned for the encryption key when obtaining an encryption key allocated to the first application; in determining the key for the first application is not assigned encryption, the encryption key, and stores the generated encryption key; transmitting to the terminal the encryption key.

6.根据权利要求1所述的加密通信方法，其特征在于，所述方法还包括: 接收由第一应用发送的注册请求或密钥获取请求； 根据所述注册请求或密钥获取请求，获取所述第一应用的绑定关系。 The encryption communication method according to claim 1, wherein said method further comprises: receiving a registration request or a request for obtaining a first key sent by the application; acquisition request according to the registration request or the key, acquires the binding relationship of the first application.

7.根据权利要求6所述的加密通信方法，其特征在于，所述根据所述注册请求或密钥获取请求，获取所述第一应用的绑定关系包括: 从所述注册请求或密钥获取请求中获取所述第一应用的标识，根据所述第一应用的标识获取所述第一应用的签约配置信息，根据所述第一应用的签约配置信息获取所述第一应用的绑定关系；或者， 从所述注册请求或密钥获取请求中获取指示信息，根据所述指示信息获取所述第一应用的绑定关系。 The encryption communication method according to claim 6, wherein said obtaining request according to the registration request or the key, the binding relationship obtaining a first application comprising: a registration request from the key or obtaining request obtains the identifier of the first application, configured to obtain the subscription information of the first application according to the identifier of the first application, the first application acquires binding according to subscription information of the first application configuration relationship; or obtained from the registration request or the key obtaining request indication information, acquiring the binding relationship of the first application according to the indication information.

8.根据权利要求6所述的加密通信方法，其特征在于，所述为仅与第一应用绑定的终端和所述第一应用分配相同的加密密钥包括: 在根据所述第一应用的绑定关系确定仅与所述第一应用绑定的终端存在时，为所述第一应用分配与所述仅与所述第一应用绑定的终端相同的加密密钥。 The encryption communication method according to claim 6, wherein said binding is only applied to the first terminal and the first application assigned the same encryption key comprises: in accordance with the first application determining when there is only a binding relationship with the first terminal application bound to the first application to the dispensing of only the first application bound to the same terminal encryption key.

9. The encrypted communication method according to claim 8, wherein assigning the first application the same encryption key as the terminal bound only to the first application comprises: when it is determined that an encryption key has already been assigned to the terminal bound only to the first application, obtaining the encryption key assigned to that terminal; when it is determined that no encryption key has been assigned to the terminal bound only to the first application, generating an encryption key and storing the generated encryption key; and sending the encryption key to the first application.

10. The encrypted communication method according to claim 1, further comprising: assigning a separate encryption key to a terminal that is bound to multiple applications or is not bound to any application; and, when it is determined that no terminal bound only to the first application exists, assigning a separate encryption key to the first application.

11. The encrypted communication method according to claim 2 or 10, wherein assigning a separate encryption key to a terminal that is bound to multiple applications or is not bound to any application comprises: when it is determined from the binding relationship of the terminal that the terminal is bound to multiple applications or is not bound to any application, assigning the terminal a separate encryption key.

12. The encrypted communication method according to claim 6 or 10, wherein assigning a separate encryption key to the first application when it is determined that no terminal bound only to the first application exists comprises: when it is determined from the binding relationship of the first application that no terminal bound only to the first application exists, assigning the first application a separate encryption key.

13. The encrypted communication method according to claim 1, further comprising: upon receiving a key update request from a first terminal, or upon a configured update rule for the first terminal being triggered, obtaining the binding relationship of the first terminal; when it is determined from the binding relationship of the first terminal that the first terminal is bound only to a first application, determining the terminals bound only to the first application, generating an encryption key, and sending the generated encryption key to the first application and to the terminals bound only to the first application; and when it is determined from the binding relationship of the first terminal that the first terminal is bound to multiple applications or is not bound to any application, generating an encryption key and sending the generated encryption key to the first terminal.

14. The encrypted communication method according to claim 13, wherein obtaining the binding relationship of the first terminal upon receiving a key update request from the first terminal or upon a configured update rule for the first terminal being triggered comprises: obtaining an identifier of the first terminal from the key update request, obtaining subscription configuration information of the first terminal according to the identifier of the first terminal, and obtaining the binding relationship of the first terminal from the subscription configuration information of the first terminal; or obtaining indication information from the key update request, and obtaining the binding relationship of the first terminal according to the indication information; or, when it is determined that the configured update rule for the first terminal has been triggered, obtaining the subscription configuration information of the first terminal, and obtaining the binding relationship of the first terminal from the subscription configuration information of the first terminal.

15. The encrypted communication method according to claim 1, further comprising: upon receiving a key update request from the first application, or upon a configured update rule for the first application being triggered, obtaining the binding relationship of the first application; when it is determined from the binding relationship of the first application that a terminal bound only to the first application exists, generating an encryption key and sending the generated encryption key to the first application and to the terminal bound only to the first application; and when it is determined from the binding relationship of the first application that no terminal bound only to the first application exists, generating an encryption key and sending the generated encryption key to the first application.

16. The encrypted communication method according to claim 15, wherein obtaining the binding relationship of the first application upon receiving a key update request from the first application or upon a configured update rule for the first application being triggered comprises: obtaining an identifier of the first application from the key update request, obtaining subscription configuration information of the first application according to the identifier of the first application, and obtaining the binding relationship of the first application from the subscription configuration information of the first application; or obtaining indication information from the key update request, and obtaining the binding relationship of the first application according to the indication information; or, when it is determined that the configured update rule for the first application has been triggered, obtaining the subscription configuration information of the first application, and obtaining the binding relationship of the first application from the subscription configuration information of the first application.

17. An encrypted communication apparatus, applied to a service platform of an M2M (machine-to-machine communication) system, comprising: a key assignment unit, configured to assign the same encryption key to a terminal bound only to a first application and to the first application, where a terminal bound only to the first application is a terminal that communicates only with the first application and with no application other than the first application; a key storage unit, configured to store the encryption key assigned by the key assignment unit to the terminal or to the first application; and an encrypted communication unit, configured to transparently forward the information exchanged between the terminal and the first application when it is determined from the encryption keys stored in the key storage unit that the terminal and the first application communicate using the same encryption key.

18. The encrypted communication apparatus according to claim 17, wherein the key assignment unit is further configured to assign a separate encryption key to a terminal that is bound to multiple applications or is not bound to any application, and, when it is determined that no terminal bound only to the first application exists, to assign a separate encryption key to the first application.

19. The encrypted communication apparatus according to claim 18, wherein the key assignment unit comprises: a request receiving subunit, configured to receive a registration request or key acquisition request sent by a terminal; a binding acquisition subunit, configured to obtain the binding relationship of the terminal according to the registration request or key acquisition request received by the request receiving subunit; and a key assignment subunit, configured to assign the terminal the same encryption key as the first application when it is determined from the binding relationship obtained by the binding acquisition subunit that the terminal is bound only to the first application, or to assign the terminal a separate encryption key when it is determined from the binding relationship obtained by the binding acquisition subunit that the terminal is bound to multiple applications or is not bound to any application.

21. The encrypted communication apparatus according to claim 19, wherein the binding acquisition subunit comprises: an indication acquisition module, configured to obtain indication information from the registration request or key acquisition request sent by the terminal; and a binding acquisition module, configured to obtain the binding relationship of the terminal according to the indication information obtained by the indication acquisition module.

22. The encrypted communication apparatus according to claim 19, wherein the key assignment subunit comprises: a key acquisition module, configured to obtain the encryption key assigned to the first application when it is determined from the binding relationship of the terminal that the terminal is bound only to the first application and an encryption key has already been assigned to the first application; a key generation module, configured to generate the encryption key corresponding to the terminal when it is determined from the binding relationship of the terminal that the terminal is bound only to the first application and no encryption key has been assigned to the first application, or when it is determined from the binding relationship of the terminal that the terminal is bound to multiple applications or is not bound to any application; and a key sending module, configured to send the terminal the encryption key obtained by the key acquisition module or the encryption key generated by the key generation module.

23. The encrypted communication apparatus according to claim 18, wherein the key assignment unit comprises: a request receiving subunit, configured to receive a registration request or key acquisition request sent by the first application; a binding acquisition subunit, configured to obtain the binding relationship of the first application according to the registration request or key acquisition request received by the request receiving subunit; and a key assignment subunit, configured to assign the first application the same encryption key as the terminal bound only to the first application when it is determined from the binding relationship obtained by the binding acquisition subunit that a terminal bound only to the first application exists, or to assign the first application a separate encryption key when it is determined from the binding relationship obtained by the binding acquisition subunit that no terminal bound only to the first application exists.

24. The encrypted communication apparatus according to claim 23, wherein the binding acquisition subunit comprises: an identifier acquisition module, configured to obtain the identifier of the first application from the registration request or key acquisition request sent by the first application; an information acquisition module, configured to obtain the subscription configuration information of the first application according to the identifier obtained by the identifier acquisition module; and a binding acquisition module, configured to obtain the binding relationship of the first application from the subscription configuration information obtained by the information acquisition module.

25. The encrypted communication apparatus according to claim 23, wherein the binding acquisition subunit comprises: an indication acquisition module, configured to obtain indication information from the registration request or key acquisition request sent by the first application; and a binding acquisition module, configured to obtain the binding relationship of the first application according to the indication information obtained by the indication acquisition module.

26. The encrypted communication apparatus according to claim 23, wherein the key assignment subunit comprises: a key acquisition module, configured to obtain the encryption key assigned to the terminal bound only to the first application when it is determined from the binding relationship of the first application that a terminal bound only to the first application exists and an encryption key has already been assigned to that terminal; a key generation module, configured to generate the encryption key corresponding to the first application when it is determined from the binding relationship of the first application that a terminal bound only to the first application exists and no encryption key has been assigned to that terminal, or when it is determined from the binding relationship of the first application that no terminal bound only to the first application exists; and a key sending module, configured to send the first application the encryption key obtained by the key acquisition module or the encryption key generated by the key generation module.

27. The encrypted communication apparatus according to any one of claims 17 to 26, wherein the key assignment unit further comprises: an update trigger determination subunit, configured to determine that the update corresponding to a first terminal is to be performed upon receiving a key update request from the first terminal or upon a configured update rule for the first terminal being triggered; an update binding acquisition subunit, configured to obtain the binding relationship of the first terminal when the update trigger determination subunit determines that the update of the first terminal is to be performed; an update key generation subunit, configured to determine the terminals bound only to the first application and to generate the encryption key corresponding to the determined terminals and the first application when it is determined from the binding relationship obtained by the update binding acquisition subunit that the first terminal is bound only to a first application, or to generate the encryption key corresponding to the first terminal when it is determined from the binding relationship obtained by the update binding acquisition subunit that the first terminal is bound to multiple applications or is not bound to any application; and an update key sending subunit, configured to send the encryption key generated by the update key generation subunit to the first application and to the terminals bound only to the first application, or to send the encryption key generated by the update key generation subunit to the first terminal.

28. The encrypted communication apparatus according to any one of claims 17 to 26, wherein the key assignment unit further comprises: an update trigger determination subunit, configured to determine that the update corresponding to a first application is to be performed upon receiving a key update request from the first application or upon a configured update rule for the first application being triggered; an update binding acquisition subunit, configured to obtain the binding relationship of the first application when the update trigger determination subunit determines that the update of the first application is to be performed; an update key generation subunit, configured to generate the encryption key corresponding to the first application and to the terminal bound only to the first application when it is determined from the binding relationship obtained by the update binding acquisition subunit that a terminal bound only to the first application exists, or to generate the encryption key corresponding to the first application when it is determined from the binding relationship obtained by the update binding acquisition subunit that no terminal bound only to the first application exists; and an update key sending subunit, configured to send the encryption key generated by the update key generation subunit to the first application and to the terminal bound only to the first application, or to send the encryption key generated by the update key generation subunit to the first application.

29. An encrypted communication system, applied to an M2M (machine-to-machine communication) system, comprising a terminal, a service platform and a first application; the service platform is configured to assign the same encryption key to a terminal bound only to the first application and to the first application, and, when it is determined that the terminal and the first application communicate using the same encryption key, to transparently forward the information exchanged between the terminal and the first application, where a terminal bound only to the first application is a terminal that communicates only with the first application and with no application other than the first application; the terminal is configured to obtain the encryption key assigned by the service platform and to encrypt or decrypt the information exchanged with the first application using the obtained encryption key; and the first application is configured to obtain the encryption key assigned by the service platform and to encrypt or decrypt the information exchanged with the terminal using the obtained encryption key.
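As an added worked example, not code from the patent or its applicant, the following Python models the platform-side key logic of claims 5 to 16 (assignment on registration, separate keys for terminals bound to several or no applications, key update triggered from either side) together with the pass-through decision and the terminal/application exchange of claim 29. Everything named here is an assumption for illustration: the subscription configuration is represented as a dict from terminal id to the set of application ids it is bound to, keys are 16 random bytes, and the stand-in cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so that the example runs on the standard library alone; a deployment would use a real AEAD such as AES-GCM.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

KEY_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32   # assumptions: 128-bit key, 96-bit nonce, SHA-256 tag


@dataclass
class ServicePlatform:
    # assumed subscription configuration: terminal id -> ids of the applications it is bound to
    bindings: Dict[str, FrozenSet[str]]
    terminal_keys: Dict[str, bytes] = field(default_factory=dict)   # the key storage unit
    app_keys: Dict[str, bytes] = field(default_factory=dict)

    def exclusive_terminals(self, app: str) -> Set[str]:
        """Terminals bound only to `app` (claim 8); the set may be empty (claim 10)."""
        return {t for t, apps in self.bindings.items() if apps == frozenset({app})}

    def _shared_key(self, app: str) -> bytes:
        """Claims 5 and 9: reuse the key already assigned to the group, else generate and store one."""
        if app not in self.app_keys:
            self.app_keys[app] = secrets.token_bytes(KEY_LEN)
        return self.app_keys[app]

    def assign_terminal_key(self, terminal: str) -> bytes:
        """Terminal registration or key request (claims 5, 10 and 11)."""
        apps = self.bindings.get(terminal, frozenset())
        if len(apps) == 1:                        # bound to exactly one application: share its key
            key = self._shared_key(next(iter(apps)))
        else:                                     # bound to several, or to none: a key of its own
            key = self.terminal_keys.get(terminal) or secrets.token_bytes(KEY_LEN)
        self.terminal_keys[terminal] = key
        return key

    def assign_application_key(self, app: str) -> bytes:
        """Application registration or key request (claims 6 to 10 and 12)."""
        key = self._shared_key(app)               # no exclusive terminal: the application keeps its own key
        self.terminal_keys.update({t: key for t in self.exclusive_terminals(app)})
        return key

    def rekey_application(self, app: str) -> Dict[str, bytes]:
        """Claim 15: fresh key for the application and every terminal bound only to it.
        Returns who must receive the new key."""
        new_key = secrets.token_bytes(KEY_LEN)
        self.app_keys[app] = new_key
        self.terminal_keys.update({t: new_key for t in self.exclusive_terminals(app)})
        return {r: new_key for r in {app} | self.exclusive_terminals(app)}

    def rekey_terminal(self, terminal: str) -> Dict[str, bytes]:
        """Claim 13: a terminal bound to one application rekeys its whole group; any other
        terminal just gets a fresh key of its own."""
        apps = self.bindings.get(terminal, frozenset())
        if len(apps) == 1:
            return self.rekey_application(next(iter(apps)))
        self.terminal_keys[terminal] = secrets.token_bytes(KEY_LEN)
        return {terminal: self.terminal_keys[terminal]}

    def forward(self, terminal: str, app: str, message: bytes) -> bytes:
        """Claims 1 and 17: pass the message through untouched only when both ends hold the
        same key; the claims say nothing about the other case, so this model refuses it."""
        t_key, a_key = self.terminal_keys.get(terminal), self.app_keys.get(app)
        if t_key is None or a_key is None or not hmac.compare_digest(t_key, a_key):
            raise PermissionError(f"{terminal} and {app} do not share a key; no pass-through")
        return message


# Stand-in for the terminal/application encryption of claim 29: an HMAC-SHA256 keystream
# with an encrypt-then-MAC tag (assumption; a deployment would use an AEAD such as AES-GCM).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))    # 32-byte SHA-256 output per counter value
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, "sha256").digest()


def decrypt(key: bytes, message: bytes) -> bytes:
    nonce, body, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + body, "sha256").digest(), tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def demo() -> bytes:
    """Constructed data: meter-1 serves only the metering application, gw-1 serves two."""
    platform = ServicePlatform(bindings={"meter-1": frozenset({"metering"}),
                                         "gw-1": frozenset({"metering", "traffic"})})
    k_meter = platform.assign_terminal_key("meter-1")
    k_app = platform.assign_application_key("metering")
    assert k_meter == k_app and platform.assign_terminal_key("gw-1") != k_app
    reading = encrypt(k_meter, b"kWh=1234")              # encrypted once, at the terminal
    return decrypt(k_app, platform.forward("meter-1", "metering", reading))
```

`demo()` returns the reading the application decrypts; the platform never touched the ciphertext. One property worth keeping in mind, which the claims leave implicit: the key handed to the first application is a group key held by every terminal bound only to that application, so the saving in platform work rests entirely on the binding check in the subscription configuration. That is why `forward` refuses a pair that does not share a key (the gateway `gw-1` above) instead of guessing, and why a rekey of one exclusive terminal necessarily rekeys the whole group, as claim 13 requires.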